[Bug 1390] iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Fri Jan 31 06:01:36 CET 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1390

Doug Smythies <dsmythies at telus.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dsmythies at telus.net

--- Comment #1 from Doug Smythies <dsmythies at telus.net> ---
Created attachment 584
  --> https://bugzilla.netfilter.org/attachment.cgi?id=584&action=edit
iptables example rules and packet counters

I confirm your issues with the bm algorithm and "POST".
I confirm that the otherwise same rule works with the kmp algorithm.
I deny that the otherwise same rule and "test" as the pattern works.

If an offset is introduced such that the search area only looks at the payload
portion of the packet (offset 52), then it works.

I started with kernel 5.5-rc6, but narrowed this down to between kernel 5.1 and
5.2-rc1, but do not have time to bisect the kernel.

In the attachment, output rule 9 was added after rule 10 had been traversed 38
times. Thereafter rule 9 was traversed.

By this crude experiment, it seems to be byte 48 that messes things up. On my
computer it seems to be 0X05 (based on a sample of 1).
